[MEDIUM] Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter

PKSA-pyk9-2q1t-drry CVE-2026-40099 GHSA-w942-j9r6-hr6r

Affected package: getkirby/cms

Affected version: >=5.0.0,<5.4.0|<4.9.0

Reported by:
GitHub